Identity Governance and Administration Capabilities
Identity governance and administration (IGA) is driven by both the needs of business and technology. While each organization is different, there are many requirements and functions that are used in many organizations in a very similar way. This section describes the IGA functionality in a structured, semi-formalized way, unifying the terminology and description of capabilities and functions. Description of IGA capabilities and functions can be useful for evaluations, gap analyses, maturity models and similar purposes.
Identity Lifecycle Management
Alternative names: Lifecycle management, Identity lifecycle
Functions: Identity lifecycle state model, Maintenance of identity attributes, Identifier management, Credential management, Support for diverse identity types, Organizational structure, Personas
Identity lifecycle management deals with maintenance of digital identities. It maintains state of digital identities through various lifecycle changes, such as creation, modification, archival and deletion.
Entitlement Management
Alternative names: Group management, Privilege management
Functions: Entitlement lifecycle management, Maintenance of entitlement associations
Entitlement management deals with association between identities and entitlements. Entitlements are assigned to an identity, giving an identity access to a particular asset or an operation. These are usually groups, permissions, associations to access control lists, low-level system roles and so on. Simply speaking, entitlement management deals with a question: Who has access to what?
Fulfillment
Alternative names: Provisioning/deprovisioning, Change propagation
Functions: Identity resource management, Communication with remote systems, Handling of fulfilment failures, Identity state tracking, Management of manual fulfillment operations
Simply speaking, fulfilment is a capability that deals with propagation of changes to target systems. Fulfilment creates, modifies and deletes user accounts. Strictly speaking, this capability fulfils the policy, e.g. by creating an account when such an account is mandated by the policy.
Synchronization
Alternative names: Reconciliation, Correlation
Functions: Data feed management, Reconciliation, Data consistency management, Identity correlation, Orphan detection
Synchronization capability provides functions that keep identity data consistent across all the connected systems. While fulfilment can make sure that the account is created in accord with the policy, it is synchronization that makes sure that it stays compliant with the policy all the time. This makes synchronization perhaps the most important infrastructural capability of any IGA platform.
Policy and Role Management
Alternative names: Role management, Role governance, Object governance, Role modeling, Role lifecycle management, Policy management
Functions: Role-based policies, Role structure, Role modeling and governance, Segregation of Duties, Automatic role assignment, Deputy management
The heart of identity governance is about the policies. Policies specify how things should be, what is the ideal state of all the systems and data. As organizations and regulations tend to be quite complex, policies are often complex too. Moreover, policies tend to change in reaction to changed regulations or organizational needs. All of that makes policy management quite a challenging thing to do.
Access Requests
Alternative names: Role request and approval, Role request process, Approvals
Functions: Access request user interface, Management of approval schemes, Execution of approval processes, Maintenance of approval accountability record, Immediate fulfillment of approved requests
Access request is a process for controlled, user-driven assignment of roles and entitlements to users. It is usually implemented as request-and-approval process to assign roles to users. The roles are usually requested by the user using a self-service user interface. The request is then driven through a series of approval steps. When approved, the roles are automatically assigned to the user.
Identity Workflow Automation
Alternative names: Workflow, Identity workflow management, Remediation
Functions: Remediation of policy violations, Case management, Process management, Escalation, Notifications
While identity management strives for automation, there are still tasks in identity management and governance that must be done by humans. These are usually decisions that cannot be made automatically, tasks that do not have algorithmic description, or just a simple notification, letting users know about the progress of a task.
Access Certification
Alternative names: Re-certification, Attestation
Functions: Full certification campaign, Microcertification, Certification of role definitions
Access privileges have a tendency to grow and accumulate. There are many ways to efficiently grant a privilege: formal access request processes, privileges are granted manually by system administrators and various informal side channels. However, privilege accumulation is a risk, as people often keep their privileges forever. Access certification is a process to remove privileges that are no longer necessary. During access certification process, responsible persons must certify that users still need the privileges that were granted to them.
Auditing
Alternative names: Audit trail, Audit logging
Functions: Recording audit trail, Basic audit trail access, Complex audit reporting, Audit integration, Metadata maintenance
Auditing capability is responsible for recording identity-related operations and events. The operations are recorded on business level, containing business-relevant information in the records. Audit data may be used for variety of reports. At least a basic reporting engine capable of searching and displaying audit records is usually included.
Identity Analytics and Reporting
Alternative names: Identity analytics, IdA, Identity analytics and intelligence, Identity intelligence
Functions: Customizable reports and visualizations, Risk assessment, Risk-based triggers, Anomaly detection, Compliance management, Simulation, Role mining
Responsibility of identity analytics and reporting capability lies mostly with analysis of identity data, summarizing and extracting relevant information, providing reports and dashboards, visualising identity information. Identity analytics dive deep into the data, considering identity data in context, using complex models to extract information. One of the most important information extracted from identity data is estimate of risk levels. The information extracted from identity data is used to initiate actions, such as starting remediation processes and triggering microcertifications.
Summary
IGA capabilities vary considerably in individual IGA products on the market. There is an entire subfield of light IGA products that provide only a very limited IGA capabilities. However, even the capabilities of full IGA products significantly vary.